Best Effort and Practice Activation Codes 



Gerhard dc Koning Gans^ and Eric R. Vcrheul^'^ 

^ Institute for Computing and Information Sciences 

Radboud University Nijmegen 
P.O. Box 9010, 6500 GL Nijmegen, The Netherlands 
{gkoningg, eric . verheul}(§cs .ru.nl 
^ PricewaterhouseCoopers Advisory 
P.O. Box 22735, 1100 DE Amsterdam, The Netherlands 
eric . verheulOnl . pwc . com 



Abstract. Activation Codes are used in many different digital services 
and known by many different names including voucher, e-coupon and 
discount code. In this paper we focus on a specific class of AGs that are 
short, human-readable, fixed-length and represent value. Even though 
this class of codes is extensively used there are no general guidelines for 
the design of Activation Code schemes. We discuss different methods that 
are used in practice and propose BEPAC, a new Activation Code scheme 
that provides both authenticity and confidentiality. The small message 
space of activation codes introduces some problems that are illustrated by 
an adaptive chosen-plaintext attack (CPA-2) on a general 3-round Feis- 
tel network of size 2^". This attack recovers the complete permutation 
from at most 2""^^ plaintext-ciphertext pairs. For this reason, BEPAC 
is designed in such a way that authenticity and confidentiality are in- 
dependent properties, i.e. loss of confidentiality does not imply loss of 
authenticity. 

Keywords: activation code, e-coupon, voucher, Feistel network, small 
domain encryption, financial cryptography. 

1 Introduction 

This paper introduces Activation Codes (AGs) as a generic term for codes that 
are used in many different digital services. They are known by many different 
names including voucher, e-coupon and discount code. The common properties 
of these codes are that they need to be short, human-readable, have a fixed 
length and can be traded for economic benefit. There are schemes [4,5,8] that 
include all kinds of property information in the code itself or include digital 
signatures [14,12]. This makes the codes unsuitable for manual entry and thus 
for printing on products, labels or receipts. The focus of this paper is on AGs 
that can be printed and manually entered such as the AG that is printed on a 
receipt in Figure 1. In this case the customer can enter the AG 'TY5FJAHB' on a 
website to receive some product. We propose a scheme called BEPAG to generate 
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and verify this class of AGs. BEPAC is an acronym for Best Effort and Practice 
Activation Codes. Here ^best practice^ covers the use of a keyed hash function to 
satisfy authenticity and 'best efforV covers the use of a Feistel network to satisfy 
confidentiahty. 

Security plays an important role in the 
design of an AC system because of the 
economic value it represents. A system 
breach could result in big financial losses. 
Nevertheless, to the best of our knowl- 
edge, there are no guidelines on the de- 
sign of secure AC systems that consider 
the previously mentioned properties. De- 
spite the lack of general guidelines for 
good practice, ACs are extensively used. 
This underlines the need for a proper AC Fig. 1: Activation Code 

scheme that relies on elementary, well- 
studied, cryptographic primitives to provide authenticity and confidentiality. 
First, we discuss some examples that illustrate the need for a scheme that pro- 
vides both confidentiality and authenticity. Then, we give a general definition of 
an AC scheme and use it as a reference throughout this paper. 

Our Contribution This paper addresses some known methods that are used to 
generate ACs and proposes BEPAC, an AC scheme that combines best effort 
with best practice. BEPAC is based on well-studied cryptographic primitives 
to guarantee unique and authentic codes that provide a satisfactory level of 
confidentiality. Confidentiality is obtained by a Feistel construction. The Feistel 
construction has weak theoretical bounds when it is used on a small domain, 
therefore we do not rely on it for authenticity. We use the work of Black and Ro- 
gaway [3] on small domain encryption and make some small changes to achieve 
confidentiality. A practical attack on a general 3-round Feistel network is pre- 
sented to demonstrate the weak bounds of the Feistel construction. For authen- 
ticity, we solely rely on a keyed-hash message authentication code (HMAC) of 
the serial number, where the size of this HMAC determines the probability of 
successfully guessing a valid AC. This separated design allows a separate anal- 
ysis of both confidentiality and authenticity. An advantage of this approach is 
that authenticity is not automatically compromised when confidentiality is bro- 
ken. Finally, a BEPAC solution fits on a smart card and therefore allows AC 
generation and clearance to be performed in a controlled environment. 

Related Work Black and Rogaway [3] propose the Generalized Feistel Cipher 
(GFC) as a solution to small domain encryption. This elegant solution can be 
used to construct a permutation on any finite domain. In the BEPAC scheme we 
use their method in a slightly adapted way and solely to provide confidential- 
ity. Black and Rogaway provide an adapted proof of Luby [15] to prove secrecy 
of a 3-round Feistel network. However, in their example configuration, the sin- 
gle DES round function does not give the 3 x 56-bit security since single DES 



can be broken by exhaustive key search [25]. Moreover, in this setting it can 
be broken round by round which actually means that we have 58-bit security. 
Bellare et al. [2] propose 128-bit AES as a pseudo-random function which dras- 
tically increases the effort needed to break one round of the Feistel network 
by brute-force. However, the adaptive chosen-plaintext attack (CPA-2) on a 3- 
round Feistel network presented in this paper shows that the key length of the 
pseudo-random function used in each round does not have any influence on the 
attack complexity. Research on Feistel networks [22,20,19,15,13,21] has resulted 
in theoretical security bounds. Feistel constructions of six or more rounds are se- 
cure against adaptive chosen plaintext and chosen ciphcrtext attacks (CPCA-2) 
when the number of queries m <^ 2", sec [22.13]. There is more related literature 
on the design of AGs, but to the best of our knowledge there are no proposals 
for the class of AC schemes that we discuss in this paper. Blundo et al. [4,5,8] 
introduce an e-coupon which is 420 bytes in size. This scheme uses a message 
authentication code (MAC) over some characterizing data like the identity of 
the manufacturer, name of the promoted product, expiry date etc. The resulting 
e-coupons contain valuable information but are too large to be entered manually 
by a user. In the work of Kumar et al. [14] and Jakobssen et al. [12] a coupon is 
basically a digital signature which also means that they describe relatively large 
e-coupons. Chang et al. [6] recognize the problem of efficiency and describe a 
scheme that is more suitable for mobile phones that have less processing power. 
On the one hand, they circumvent the use of public key cryptography which 
reduces the computational complexity, but on the other hand, their scheme de- 
scribes relatively long codes. None of the schemes described previously satisfy 
the requirement of short codes that can be entered manually. 

Matsuyama and Fujimura [17] describe a digital ticket management scheme 
that allows users to trade tickets. The authors discuss an account based and a 
smart card based approach and try to treat different ticket types that are solely 
electronically circulated. This in contrast with BEPAC which focuses on codes 
that can easily be printed on product wrappings. Our intention is not to define 
a trading system where ACs can be transfered from one person to another. Such 
contextual requirements are defined in RFC 3506 as Voucher Trading Systems 
(VTS). Terada et al. [28] come with a copy protection mechanism for a VTS and 
use public key cryptography. This makes the vouchers only suitable for electronic 
circulation. Furthermore, RFC 3506 and [17] do not discuss methods on how to 
generate these vouchers securely. We propose the BEPAC scheme in order to fill 
this gap. 

2 AC Scheme Selection 

This section first discusses some examples of AC systems. Then, two different 
approaches to set up an AC scheme are discussed and their main drawbacks 
are visited. After this, the Generalized Feistel Cipher of [3] is introduced in 
Section 2.1 which has some useful concepts that we use in our scheme. The 
focus of an AC scheme design lays on scalability, cost-efficiency and off-line use. 



Finally, forgery of AGs should be hard, an adversary is only able to forge AGs 
with a very small predefined probability. 

Examples of Activation Codes First, we discuss some examples of AGs in real 
life. A good first example is the scratch prepaid card that is used in the telecom- 
munication industry. To use a prepaid card, the customer needs to remove some 
foil and reveals a code that can be used to obtain mobile phone credits. Then we 
have the e-coupon which is a widely used replacement for the conventional paper 
coupon. An e-coupon represents value and is used to give financial discount or 
rebate at the checkout of a web shop. The last example is a one-time password 
that gives access to on-line content. This content should only be accessible to 
authenticated people who possess this unique password; think of sneak previews 
of new material or software distribution. 

All the aforementioned examples use unique codes that should be easy to 
handle, that is, people should be able to manually copy AGs without much 
effort. At the same time, it should be impossible for an adversary to use an 
AG more than once or autonomously generate a new valid AG. Altogether, AGs 
are unique codes that have to guarantee authenticity. An AG system provides 
authenticity when an adversary is not able to forge AGs. It is a misconception 
that authenticity only is enough for an AG scheme. In the end, most AG systems 
are used in a competitive environment. When vendor A starts a campaign where 
AGs are used to promote a product and provide it for free to customers, then 
it is not desirable that vendor B finds out details about this campaign like the 
number of released AGs. Other sensitive details might be the value that different 
AGs represent or the expiry date of AGs. It is for this reason that we need 
confidentiality, which means that an adversary is not able to recognize patterns 
or extract any information from a released AG. 

Many systems use codes that need to provide the properties discussed above. 
In this paper we refer to all these codes as AGs. By an AG scheme S we indicate 
a tuple {A,Af,V, A) where A is the size of the used alphabet, TV is the number 
of desired AGs, P determines the probability P = of an adversary guessing 
an AG and A is the length of the AGs. 

Database Approach The database approach is very straightforward and con- 
sists of a database that contains all the released AGs and their current status. 
The generation of new AG entries is done by a pseudo-random function. When 
a customer redeems an AG, its status is set to 'used'. An advantage of the 
database approach is that the randomness of the AGs is directly related to the 
randomness of the pseudo-random generator. So, it is important to select a good 
pseudo-random generator, e.g. a FIPS certified one. On the other hand, the 
protection of this valuable data is still a problem. For instance, if an attacker 
manages to add entries to the database or is able to change the record status 
to 'unused', it will be hard to detect this fraud in time. Also, it is necessary to 
check any new AG against all existing entries since there might be a collision. 
As a consequence, access to the complete set of AGs is needed on generation of 
new AGs. 



Block Cipher Approach Another approach is to use a block cipher that gives 
a random permutation F : {0, 1}" — > {0, 1}" from serial numbers to AGs. The 
provider maintains a counter i to keep track of the number of generated AGs. 
This way the authenticity of a serial number can be checked since only AGs 
that decrypt to a serial < i are valid. A disadvantage of this method is the size 
of the rcsuhing AG which is 128-bits for AES and 64-bits for 3DES. For AES, 
this results in a string of about 21 characters when wc use numbers, upper- 
and lowercase characters in our alphabet. For 3DES, this is about 11 characters. 
Smaller block ciphers do exist, like Katan [10] which is 32-bits, but arc not 
very well-studied. Furthermore, block ciphers force AGs to have a length that 
is a multiple of the block size b. An alternative could be the concept of elastic 
block ciphers [9] which is an extended scheme where variable message sizes are 
allowed as input. Moreover, this scheme uses well-studied block ciphers. Still, 
the minimal size of a plaintext message is the block size b of the incorporated 
block cipher. So, this does not give any advantage and is still too large for our 
target, which is roughly 20 to 50-bit codes. 

2.1 Small Domain Ciphers 

Black and Rogaway introduce the Generalized Feistcl Giphcr (GFG) in [3]. The 
GFG is designed to allow the construction of arbitrary domain ciphers. Here, 
arbitrary domain means a domain space that is not necessarily {0, 1}". For AGs 
we want to use a small domain cipher where the domain size can be customized 
to a certain extent, therefore wc look into the proposed method in [3]. Before 
we describe the Generalized Feistel Gipher, wc briefly visit the basic Feistel 
construction. 

Feistel Network A Feistel network [16] is a permutation that 
takes an input x of size 2n, then performs a number of rounds r 
with round functions /i, fr, and finally delivers an output y of 
size 2n. The input is split into two blocks {L, R) € {0, 1}^^". As 
shown in Figure 2. every right block is input to a round function 
fi. The output of this function is combined with the left block 
and becomes the new right block, e.g. L' = fi{R) + L for GFG. 
The original right block becomes the new left block. For the ease 
of decryption the last output blocks are swapped in case of an 
odd number of rounds (which is the case in Fig. 2). 

Generalized Feistel Cipher The GFG of Black and Rogaway [3] was intro- 
duced to handle flexible domain sizes. Take for example an encryption E : 5^"* — >■ 
5^'' which is not a domain that is captured by standard block cipher algorithms. 
The BEPAG scheme borrows some of the ideas of GFG to be able to construct 
arbitrarily sized AG configurations. 

In GFG the left and right block of the Feistel network are "similarly sized" 
which means that their domain size may deviate a little. For the particular 
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Fig. 2: Feistel 



case of AGs we have looser restrictions on the arbitrariness of our domain and 
we can increase the guessing probability V to influence the domain size. As a 
consequence, the system parameters of BEPAC can be chosen such that the left 
and right block are equally sized. 

An obvious way to use the Feistel network is to create a pseudo-random 
permutation F : /C x — > where K. and M are the key space and message 
space respectively. To generate AGs, we take as plaintext an index i and use the 
resulting ciphertext as AG a. In order to check a the provider keeps track of the 
last index i and considers a given a valid when F~^(a) < i. This construction 
guarantees: 

1. Gollision-freeness, since is a permutation. 

2. Valid serial numbers, they cannot be predicted since is a pseudo-random 
permutation. 

As Black and Rogaway already conclude in [3] the Generalized Feistel Gipher 
has weak security bounds when used in applications where the message space is 
roughly from k = 2'^" up to fc = 2^". This suggests that our second argument 
might not be that strong. 

Also, the serial i is kept secret and one might argue that this presumes un- 
forgeability. However, the way i is embedded allows an adversary to make useful 
assumptions about i since the AGs are generated using consecutive numbers. In 
the GFG, the left block L and right block R are initiated as follows: 

i = imod2", R=li/T\ 

Here, L represents the least significant bits of i, and the successor of every i 
always causes a change in L. On the contrary, when i is sequentially incremented, 
the value of R changes only once every 2" times. This way, the first 2" AGs are 
generated with R = 0, the second 2" AGs with R = 1, etc. The problems that 
this little example already points out are further explained in the next section. 

3 Feistel Permutation Recovery using CPA-2 

In this section we present a practical attack on a three-round Feistel construction 
in order to illustrate the problem of choosing a small number of rounds and using 
a serial embedding as suggested by Black and Rogaway [3]. 

Theorem 1. Consider a three-round 2n-bit Feistel construction. Then there ex- 
ists an algorithm that needs at most 2"+^ adaptive chosen plain- / ciphertext pairs 
to compute any ciphertext from any plaintext and vice versa without knowledge 
of the secret round keys and regardless the used key length. 

Proof. The two ciphertext blocks are defined in terms of the plaintext blocks as 
follows: 

R' = f2{fi{R) + L) + R 

L" = /3(/2(/i(i?) +L) + R) + f,{R) + L (1) 
^ f-i{R') + fi{R) + L 



Note that L" uses R' as input to /3(-)- With Li we denote L ^ i and similarly 
Rj denotes R ~ j. The notation R[i j'f rneans the value of i?' when Li and 
Rj are used as input blocks. We first observe that several triples (/i,/2,/3) 
lead to the same permutation and show that it is always possible to find the 
triple with /i(0) = 0. To this end, if we replace the triple (/i,/2,/3) with the 
triple (/i,/2j/3) defined by Equation (2), this leads to the same permutation 
(Equation (1)) with the desired property that /{(O) = 0. 

f[ix) = /i(x)-/i(0), /^(.t) = Mx + hiO)), f^{x) = f3ix) + hi0) (2) 

So, without loss of generality we may assume that /i(0) = 0. 

Next, we describe a method to find a triple (/i, /2, /s) with /i(0) = 0. First, 
we determine /2, then fi and finally /s. 

By Equation (1) we get /2: 

/2(/i(-Ro) + Li) = - i?o = R[ifi) =^ f2{Li) 0) (3) 

Now, to find /i observe that is a solution for x in the equation f2{x) = 
^'{0 j) ~ However, this equation does not always have one unique solution 
since /2 is a pseudo-random function. In case of multiple solutions we compare 
the output of successive (wrt. x) function inputs with the values for f2{x + i) 
that were found using Equation (3). Then, the correct x is the unique solution 
to: 

f2ix + i) = R[i.j) - R] for t = 0, . . . , m (4) 

Sometimes m = already gives a unique solution. At the end of this section we 
show that with very high probability m — 1 defines a unique solution. We find: 

= ^ (5) 

When /i and /2 are both determined, L and R can be chosen such that every 
value for R' G {0, . . . , 2" — 1} is visited. Since R' functions as direct input to /s 
it is possible to find all input-output pairs for /s. To visit every possible input 
value z = 0, . . . , 2" — 1 find a pair L^, Rj such that .-^ ~ z. First, find an 
index x such that /2 {x) ^ z — Rj. If such an x does not exist choose a different 
value for Rj. There is always a solution for x since Rj covers the whole domain 
of /2. Second, derive Li. 

f2{h{Rj) + L,) ^ h{x) L, = x^h{R.j) (6) 

Note that the determination of Li and Rj does not need any intermediate queries 
since it is completely determined by /i and /2. Next, we query the system with 
Li and Rj and use Equation (3) and (5) to compute /s as follows: 

h{x)=Ll^.^^-h{Rj)-L, (7) 

This completes the solution for a triple (/i, /2, /3) that results in the same per- 
mutation as the Feistel construction under attack. 



Number of Queries The determination of /2 is given by Equation (1) and costs 
2" queries. The determination of /i is given by Equation (4). The probabihty p 
that there exists an x' ^ x for a preselected x such that 

(/2(X) = A j /\ h{x + l)=f2{x'+l)\ (8) 

\ ..,m / 

can be spUt into two parts. First, we have the probabihty pi that there is a 
colhsion f2{x) — f2{x') with x ^ x'. Then, the second probability p2 covers 
cases where a preselected position f2{x + i) has the same value as some other 
preselected position f2{x' + i). We take fc = 2" and the two probabilities are 
then given by pi = 1 — (^^)''''^^' and P2 = p Now, p = pi ■ because 
we need to multiply by p2 for every other successive match. To conclude, the 
probability that there is a.n x' x for a Feistel construction of size 2 • k and 
with m successive queries, i.e. the probability that there is no unique solution x 
to Equation (4), is the probability 

1 1 /k~l\''-^ 

So, p < -p^ and depending on the size k, m = 1 already gives p close to zero. 
In practice one might sometimes need an additional query (m = 2) or only one 
query (m = 0), but on average m = 1. This means that the cost for determination 
of /i is 2 ■ 2" queries on average. Then, the determination of /a is given by 
Equation (7) and costs at most 2" queries. As a result, the determination of 
(/i; /2, /s) has an upper bound of 2"+^ queries. 



4 BEPAC Scheme 



In this section we propose our Activation Code Scheme called BEPAC. Its pri- 
mary objective is to ensure authenticity and its secondary objective is to provide 
confidentiality. Confidentiality is satisfied up to the security bounds given by 
Black and Rogaway in [3]. In the BEPAC scheme, loss of confidentiality does 
not affect the authenticity property. 

The authenticity is achieved in an obvious way by the use of an HMAC which 
is a keyed hash function. We take the truncated HMAC /i of a sequence number 
i and concatenate it to i itself. For this concatenation we use an embedding 
m like the one used by Black and Rogaway in [3] and Spies in [2]. We rely on 
the strength of the underlying hash function which covers the best practice part 
of our solution: ACs are not forgeable. The length of an HMAC is usually too 
long for the ease of use that is demanded for ACs. Therefore we introduce the 
probability P = ^ that puts a lower bound on the success rate of guessing correct 
ACs. We use this parameter to limit the length of the codes, i.e. V determines 
the size of the HMAC. A lower success probability for an adversary is achieved 
by concatenating a bigger part of the HMAC and thus results in a longer AC. 



Our solution differs from encryption sclieines for small domains [3,18] in the 
sense that we make a clear separation between the part that provides authen- 
ticity and the part that provides confidentiality. The latter is added as an ad- 
ditional operation on the embedding m. We use a balanced Feistel construction 
as proposed in [3] to create the necessary confusion and diffusion. This separa- 
tion between authenticity and confidentiality is really different from an approach 
where the sequence number i is directly fed into a Feistel construction and when 
it solely depends on this construction for its authenticity. The attack in Section 3 
demonstrates that we cannot rely on a Feistel construction for authenticity when 
it is used on a small domain. These results form the basis of our design decision. 
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4.1 AC Scheme Setup 

The BEPAC scheme setup is a construction Serial / 

(see Fig. 3) where an embedding m of an in- i 

dex i and a part of HMAC(z) are fed into a 
Feistel network. Since this is a balanced Feis- 
tel network, m needs to be divided into two 
equally sized blocks. When this is not possible 
a small part h' of HMAC(z) bypasses the Feis- 
tel network and is embedded together with the 
cryptogram c from the Feistel network to form 
AC a. 

The BEPAC scheme 5 is a tuple 

A/", 7-", A, w) where A is the size of the al- 
phabet, A -I- a; is the length of the ACs where 
A is always even and lo is cither or 1. Then, 
M is the number of ACs and V determines the 
probability P = ^ oi obtaining a valid AC by 
a random guess, e.g. V = 10.000. We assume A <V. 

Definition 1 (Valid AC Scheme). An AC scheme S 
valid when A^ ^ TV x P x A^'^ holds and A is even. 

A valid AC scheme S can be obtained as follows: 



\slA\ 
-- s mod A. 
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Fig. 3: BEPAC Scheme 
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(a) The user chooses the alphabet size A, desired number of ACs M and some 
minimal guess probability -p. 

(b) Now the minimal length A is calculated such that A'^ >= TV x P by taking 
A ^ \Aog{N X V)\ 

(c) - TV X r \ is minimized by taking V = IA^/N\ 

(d) The length A can be either odd or even: 

— When A = 2fc -I- 1 and A <V then we adjust V such that ^ is a divisor 
of "P. As a consequence, we might have a larger number of ACs M. 

V^P-{PmodA), Af^lA^/Vl 

After these operations we obtain the system iS = (.4., TV, P, A — 1, 1). 

— When A = 2A; we obtain the system S = (^,TV, V, A, 0). 

(e) The process is repeated from step (a) when no valid system S is found. 



4.2 Generation 

This section describes the generation of new AGs once a vahd AC scheme is con- 
figured. Algorithm 1 contains the pseudo code for AC generation. The plaintext 
is an embedding m of a part of HMAC(i) and i itself. In case of an odd AC 
length (a; = 1) a small part h' of HMAC(i) is excluded from this embedding. 
The part of HMAC(z) that is used in m is determined by V. 

s = HMAC(i) mod T', h=lsxA^'^\, h' = s mod A, m^hxAf+i 

The balanced Fcistcl construction is defined with: 

k = , L = m mod fc, R ^ [m / k\ 

L and R arc input blocks with size A: of a balanced Feistel network. We denote 
the output blocks after r rounds by and R*. When the number of rounds r 
is even the cryptogram c is given by: 

R* X k + L'' 

When r is odd, the left and right block are swapped and the cryptogram c is 
given by: 

L* xk + R* 

This difference between odd and even is there to allow the same construction for 
encoding and decoding. Finally, the activation code a is given by: 

a = c X A'^ + ujh' 

4.3 Verification 

This section describes the verification of previously generated ACs for a valid 
AC scheme. Algorithm 2 contains the pseudo code for AC verification. Given an 
AC a and an AC scheme S the validity can be checked as follows. First compute 
c and h' from a: 

c ^ [a/A'^\ , h' = a mod 

The balanced Feistel construction is defined with input block size 
Now, the input blocks L and R are obtained from c as follows: 

L = c mod k, R = [c/fcj 

L and R are input blocks with size fc of a balanced Feistel network. We denote 
the output blocks after r rounds by L* and R*. In this case we want to decrypt 
and therefore use the round keys in reverse order. When the number of rounds 
r is even the plaintext m is given by: 



R* X k + L* 



When r is odd, the left and right block are swapped and the plaintext m is given 
by: 

m = L* X k + R* 

Now, we are able to obtain the partial HMAC h and index i from m by: 
h ^ \ m/J\f\ , i = m mod TV 



We calculate the partial HMAC ht and h[ like in the encoding, but now we 
use the recovered index i. Finally, we say that a is a valid AC iS ht ~ h and 
ujh't = ujh' . 



Algorithm 1 GENERATE(i) 


Algorithm 2 VERiFY(a) 


k ^ ^(^z^) 




s <- HMAC(i) mod V 


c [a/ J ; h' i— a mod 


/i <- [s X A^'^i 


L i— c mod A:; i?, — [c/A;J 


h' ■<— s mod A 


for _7 r to 1 do 


m <— h X Af + i 


tmp <— {L fj{R)) mod k 


L ^ m mod k\ i? \rn/k\ 


L <— R: R <— tmp 


for J 1 to r do 


end for 


tmp -i— (L + fj (R)) mod k 


if r is odd then 


L <- R; B. ^ tmp 


rn ■^— L X A; + 7? 


end for 


else 


if r is odd then 


m i? X A; 4- -£/ 


c <— L X k + R 


end if 


else 


h [m/7\Aj ; i m mod 


c R. X k + L 


s ^ HMAC{i) mod P 


end if 


/it ■^- [s- X ^l^^^J 


a <— c X A" + ujh' 


/i^ <— s mod ^ 




if ht — h and w/i^ — uh' then 




Valid 




else 




Invalid 




end if 



5 Example Application: Smart Card 

In this section we want to give an example of an Activation Code System (ACS). 
In an ACS there are a few things that need to be managed. The index i of 
the latest generated AC and the ACs that have been used so far. Since this 
information is highly valuable and represents financial value it must be well 
protected. Think of an application where the ACs are printed on prepaid cards 
covered by some scratch-off material. The production of these cards is a very 
secured and well-defined process to ensure that activation codes are kept secret 
during manufacturing. These cards need to have all kinds of physical properties, 
e.g. the AC should not be readable when the card is partly peeled off from the 
back. This can be achieved by printing a random pattern on top of the scratch-off 
foil. 

At some point there is a very critical task to be executed when the ACs 
need to be delivered to the manufacturer. An obvious method to do this is to 
encrypt the list of ACs with a secret key. Later on in the process, this list of 
randomly generated codes needs to be maintained by the vendor who sells the 
scratch cards. This induces a big security threat since leakage of this list or 
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Table 1: BEPAC Configurations 



unauthorized modification results in financial loss. Especially when it directly 
relates to the core business like in the telecommunications industry. 

The use of a secure application module (SAM) significantly reduces this risk. 
A SAM is typically a tamper-resistant device, often a smart card, which is in 
most cases extensively tested and certified in accordance to a standard, e.g. 
the Common Criteria^. The elegance of the solution presented in this paper 
is that it can be implemented using smart cards. The supplier determines the 
probability P, number of codes M , size of character set A and the key K to 
be used. An obvious approach is to use two smart cards since the production 
and clearance of activation codes are very likely to happen at two different 
locations. Both smart cards are initialized using the same AC scheme iS and the 
same key K . From that moment on the first one only gives out up to M new 
activation codes. The second one is used at the clearance house to verify and 
keep track of traded activation codes. This can be done by a sequence of bits 
where the i-th bit determines whether the i-th activation code has been cleared. 
For 1.000.000 activation codes approximately 122 kB of storage is needed. This 
fits on a SmartMX card [27] which is available with 144 kB of EEPROM. Of 
course, multiple cards can be used if more ACs are needed. 

6 Analysis 

In this section we discuss the system parameters of BEPAC and decide on some 
minimal bounds and algorithms. We tested a 6-round BEPAC scheme for obvious 
flaws using the NIST random number test [26]. This test implementation also 
delivered the numbers in Table 1 which give a good indication of the length / of 
the codes compared to different AC scheme configurations. In the left column the 
desired values are given for the number of codes N and the guessing probability 
v. We tested these different numbers for three different alphabet sizes A. 

Number of Rounds Wc found good arguments to set the minimum number of 
rounds to six for the BEPAC scheme. The literature shows that Feistel con- 
structions of six or more rounds are secure against adaptive chosen plaintext 
and chosen ciphertext attacks (CPCA-2) when the number of queries m <?C 2", 



^ http: //www . commoncriteriaportal . org 



see [22,13]. Patarin [21] shows that an adversary needs at least 2'^"/^ encryptions 
to distinguish a six-round Feistel construction from a random permutation. A 
six round Feistel network sufficiently covers the risk of leaking serial number 
information, but this is of course a minimum. 

Key Derivation In the BEPAC scheme we need different round keys for every 
Feistel round and another different key for the calculation of the HMAC on 
the serial. We propose to derive these keys from an initial randomly chosen 
key [1] by a key derivation function (KDF). There are several definitions available 
for KDFs and we propose to use KDFl which is defined in ISO 18033-2 [11]. 
Recommendations for KDFs and their construction can also be found in [7] . The 
first key that is derived is used as the key in the HMAC calculation of h and h' 
(Section 4). After this the round keys for the Feistel construction are successively 
derived. 

Pseudo-random Functions Furthermore, we need to decide on the pseudo-random 
functions (PRFs) that are used as round functions of the Feistel network. The 
pseudo-randomness of the permutation defined by a Feistel network depends 
on the chosen PRF in each round [15]. It is straightforward to use a crypto- 
graphic hash function since we already need a hash function for the HMAC [24] 
calculation and it keeps our AC scheme simple. 

Hash Function In the end, the BEPAC scheme is solely based on a single crypto- 
graphic hash function. We follow the secure hash standard FIPS 180-3 [23] and 
propose to use an approved hash function like SHA-256. 

7 Conclusions 

In this paper we have introduced activation codes (ACs), short codes of fixed 
length, that represent value. These ACs should be scalable, cost efficient and 
forgery resistant. In the literature, several solutions [4,5,8,14,12,6,17,28,17] han- 
dle digital coupons or tickets that are somehow reminiscent to our notion of 
ACs. The difference is that most solutions use public key cryptography or other 
means that result in lengthy codes. In fact, these solutions come closer to some 
extended notion of digital cash and are not meant to give a solution on the gen- 
eration of ACs. To the best of our knowledge there is no scheme that focuses 
on the class of ACs that are described in this paper (roughly think of 20 to 
50-bit codes). Our proposed AC scheme for this class satisfies authenticity and 
confidentiality in a way that when confidentiality is compromised it does not 
automatically break authenticity and vice versa. 

In order to allow a relatively small and arbitrary message space for our AC 
scheme we use some of the ideas of Black and Rogaway [3] in their General- 
ized Feistel Cipher to satisfy the confidentiality in our scheme. Several stud- 
ies [22,20,19,15,13,21] show that the security bounds of Feistel constructions are 
not strong enough and thus make the use of Feistel constructions in small do- 
mains questionable. To illustrate this, we have demonstrated that CPA-2 allows 



an adversary to recover the complete permutation from only 2"+^ plaintext- 
ciphertext pairs. Still, the Feistel construction is suitable for the purpose of 
confidentiality in our AC scheme. Since confidentiality is a secondary goal, it 
relaxes the demands on the security bounds. Furthermore, in BEPAC the plain- 
text cannot be predicted which counters the attacks from the literature. And 
most important of all, a Feistel construction defines a permutation on the AC 
domain, which means in practice that we do not have to store any additional 
data in order to remember which ACs are already published and which are not. 

To conclude, we found satisfactory system parameters for the minimum num- 
ber of Feistel rounds and we defined a method to do the key derivation for the 
round keys. Furthermore, we suggested a specific pseudo-random function (FRF) 
and hash function for concrete implementations. Finally, we have implemented 
the BEPAC scheme^ and performed some statistical tests using the NIST Ran- 
dom Number Test [26]. This test did not reveal any obvious flaws. 

It might be interesting for future work to create a smart card implementation 
of BEPAC as suggested in Section 5. 
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